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We claim: 

1. A method for controlling access to file s ystem r esources in a c omputer s ystem 
through the use of externally stored attributes comprising the steps of: 

generating a file identifier corresponding to each file system object that will have 
5 protected and controlled access; 

storing a record of each said file identifier and associated protected object name 
for each said file system object in a database, such that there is a file identifier to 
protected object name map for each file system object; 

searching the database, at the initiation of a file system object access attempt to 
10 determine if the attempted access is to a protected file system object; and 

generating an authorization decision for access to said file system object in 
response to said file system object access attempt. 

2. The method as described in claim 1 wherein the step of generating a file identifier 
15 for a file system object comprise: 

obtaining an attribute of the physical location of a file system object; 
obtaining the name of the file system object; and 

coupling the physical location attribute to the file system object name to produce 
the file identifier for a particular file system object. 

20 

3. The method as described in claim 2 wherein the search of the database is 
performed using the generated file identifier. 

4. The method as described in claim 3 wherein said search is to find a match 
25 between a file identifier and protected object name in the database. 

5. The method as described in claim 3 wherein access to a file is granted if a search 
of the database does not produce a protected object name match for the file identifier. 

30 6. The method as described in claim 4 wherein an authorization decision is to deny 
access to a protected file system object found during a search of the database. 
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7. The method as described in claim 1 wherein said storing record step comprises 
mapping the file identifier to a protected object name for a protected file system object. 

5 8. The method as described in claim 4 wherein said decision authorization step 
comprises calling an access decision component to obtain an access decision for a found 
match between a file identifier and a protected object name. 

9. The method as described in claim 8 wherein said access decision is based on 
10 specific protections for the file system object for which there is a request for access, said 

specific protections being stored in a master database. 

10. A method for enforcing security policies over file system objects in a computer 
system using an external authorization program and comprising the steps of: 

15 associating a security policy to a protected file system object, said security policy 

capable of granting access to said protected file system object; 

upon an access request to a file system object, checking all protected file system 
objects using a file identifier to determine if the access request is to a protected object 
file; and 

20 generating an authorization decision for access to said file system object in 

response to said file system object access attempt. 

11. The method as described in claim 10 wherein said associating step comprises: 
generating a file identifier corresponding to each file system object that will have 

25 protected and controlled access; 

storing a record of each said file identifier and associated protected object name 
for each said file system object in a database, such that there is a file identifier to 
protected object name map for each file system object; 



30 
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12. The method as described in claim 11 wherein the steps of generating a file 
identifier for a file system object comprise: 

obtaining an attribute of the physical location of a file system object; 
obtaining the name of the file system object; and 
5 coupling the physical location attribute to the file system object name to produce 

the file identifier for a particular file system object. 

13. The method as described in claim 10 wherein the step of checking all protected 
file system objects comprise searching the database, at the initiation of a file system 

10 object access attempt to determine if the attempted access is to a protected file system 
object. 

14. The method as described in claim 13 wherein said search is to find a match 
between a file identifier and protected object name in the database. 

15 

15. The method as described in claim 10 wherein said access authorization decision 
step comprises determining whether to grant access to the requested file system object 
using security policy rules contained in the external authorization program. 

20 16. The method of claim 10 wherein access to a requested file system object is 
granted if a search f the database does not produce a protected object file system object. 

17. The method as described in claim 14 wherein an authorization decision is to deny 
access to a protected file system object found during a search of the database 

25 

18. A method for generating a file identifier for use in controlling access to file 
system resources in a computer system comprising the steps of: 

obtaining a unique physical attribute of the file system object; 
obtaining the name of the file system object; and 
30 constructing a file identifier for that file system object from said unique physical 

attribute and said file system object name. 
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19. The method as described in claim 18 further comprises an initial step of 
generating a data structure having a pointer to an index related to the physical location of 
the requested file resource in the file system and a pointer to a directory containing the 
requested file resource. 

5 

20. The method as described in claim 19 wherein the step of obtaining a unique 
physical attribute comprises the step of retrieving a file location number where the 
requested file system resource resides. 

10 21. The method as described in claim 20 wherein said file location number can be 
retrieved from an index containing file space numbers or from a serial number generated 
using a programming interface. 

22. The method as described in claim 21 wherein the step of obtaining the name of 
15 the file system object further comprising: 

opening the directory identified in that data structure; 
for each entry in the directory, reading the file location number; 
comparing said read file space number to said file location number; and 
retrieving the file name of the resource out of the directory entry. 

20 

23. The method as described in claim 22 wherein said file identifier construction step 
comprises: 

placing the index number at the beginning of the file of bytes that will be the file 
identifier; and 

25 appending the file name to the file of bytes. 

24. The method as described in claim 22 further comprising after said comparing 
step, the steps of: 

retrieving the next entry in the directory when the said comparison is not equal; 
30 determining if this entry is the last entry; and 

proceeding to read said entry, when said entry is not the last entry. 
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25. The method as described in claim 24 further comprising the step of returning no 
file identifier when no directory entry file location number equals the index file space 
number. 

5 

26. A computer program product in a computer readable medium for controlling 
access to file system resources in a computer system through the use of externally stored 
attributes comprising the steps of: 

instructions for generating a file identifier corresponding to each file system 
10 object that will have protected and controlled access; 

instructions for storing a record of each said file identifier and associated full path 
name for each said file system object in a database; 

instructions for searching the database, at the initiation of a file system object 
access attempt to determine if the attempted access is to a protected file system object; 
IS and 

instructions for generating an authorization decision for access to said file system 
object in response to said file system object access attempt. 

27. The computer program product as described in claim 26 wherein the instructions 
20 for generating a file identifier for a file system object comprise: 

instructions for obtaining an attribute of the physical location of a file system 

object; 

instructions for obtaining the name of the file system object; and 
instructions for coupling the physical location attribute to the file system object 
25 name to produce the fi le identifier for a particular file system object. 

28. The computer program product as described in claim 27 wherein the instructions 
for searching the database comprise instructions for using the generated file identifier. 
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29. The computer program product as described in claim 26 wherein said instructions 
for storing a record comprising instructions for mapping the file identifier to a protected 
object name for a protected file system object. 

5 30. The computer program product as described in claim 26 wherein said instructions 
for generating an authorization decision comprise instructions for calling an access 
decision component to obtain an access decision for a found match between a file 
identifier and a protected object name. 

10 31. A computer correctable to a distributed computing system which includes file system 
objects containing information accessed during the execution of application and system 
programs comprising: 
a processor; 

a native operating system; 
15 application programs; 

an external authorization program overlaying said native operating system and 
augmenting standard security controls of said native operating system; 

a mapping database within said external authorization program containing file 
identifier to a protected object name entries for each protected file system object; and 
20 an access decision component within said external authorization program for 

determining access to protected file system objects. 

32. The computer as described in claim 31 wherein said controlling means includes 
detecting access attempts to file system objects: 

25 determining whether said file system object is protected in the external security policy; 

and 

determining whether to grant the attempt access based on rules defined in the security 

policy. 
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